Record and database field-level data access restrictions

Next, we will demonstrate how you can restrict data access with further precision, based on the infobase data itself.

1C:Enterprise features data access restrictions at record and database field level. For four major rights (read, insert, edit, and delete) you can specify which infobase data is available to users.

The restrictions are defined in a language that is a subset of the query language.

In the next section you will implement the following addition to the Employee accruals document: technicians can view their own salaries but cannot view their bonuses. In other words, technicians are not allowed to view Employee accruals documents that include bonus accrual records.

In Designer mode

Let us modify the technician rights.

Grant the Technician role the View right for the EmployeeAccruals document, and also the View right for the Payroll subsystem.

The right to view the Payroll subsystem is required because the document belongs to the subsystem.

Grant the View right for the WorkScheduleTypes catalog and for the MainAccruals chart of calculation types.

These rights are required because the EmployeeAccruals document references these objects.

In the list of configuration objects, click the EmployeeAccruals document, and then click its Read right.

This opens the Restrict access dialog box where you can describe the restrictions in a language that is a subset of the query language.

To simplify the process, let us use the query wizard.

Click Query Builder.

Actually this opens the data access restriction wizard, which is very similar to the query wizard (see fig. 22.13).

Note that the EmployeeAccruals table is automatically selected on the Tables and fields tab and the wizard is opened on the Conditions tab.

Drag the CalculationType field of the Accruals tabular section to the list of conditions, select the Arbitrary check box, and populate the right-hand part of the condition as shown in listing 22.1 (fig. 22.13).

The current user can only read or edit some database object if a data access restriction grants them the right to perform this action (if the restriction condition is true).

In this example a user can read the Employee Accruals document

EmployeeAccruals WHERE ...

only if its Accruals tabular section

... WHERE EmployeeAccruals.Accruals ...

contains calculation types

... WHERE EmployeeAccruals.Accruals.CalculationType ...

that are not Bonus calculation type

... <> VALUE(ChartOfCalculationTypes.MainAccruals.Bonus)

Click OK.

The data access restrictions pane for the Technician role should look as shown in fig. 22.15.

Fig. 22.15. Access restriction for the Technician role

In 1C:Enterprise mode

Let us test the result.

Update the infobase by pressing F7 and start 1C:Enterprise for user Turner.

This user has the Technician role.

In the Payroll section, open the list of Employee accruals documents (fig. 22.16).

Fig. 22.16. List of Employee accruals documents

As you can see, the list only includes documents #1 and #3 because document #2 accrues bonuses.

This also illustrates a feature that is not directly related to data access restrictions.

At the bottom of the window you can see the history panel. In lesson three, during the creation of your first catalog, you added this panel to the applied solution window in Designer. Then you removed this panel in 1C:Enterprise mode.

But when a user makes a change in 1C:Enterprise mode, the change is only made for that user, while the panel settings specified in Designer are applied to the entire configuration. At the time you made that change, your configuration did not have any users defined, which is why the panel is now visible. It will be visible to each new user.

To correct this, let us return to Designer and hide the history panel from there. This change will be applied to all users.

In Designer mode

In the Client application interface window, in the left pane, click History pane, and then click the Delete current item button (fig. 22.17).

Fig. 22.17. Specifying applied solution panel settings

Now let us return to access restrictions and complicate the task. We still do not want a technician to see the accrued bonuses but at the same time we do not want to hide the fact that such a document exists at all.

In other words, a technician should be able to see the document in the list of documents but should be unable to open it.

Let us look at the Employee accruals document access restriction that you set for the Technician role. You have not specified any fields there, so the restriction is applied to all the document fields (see fig. 22.15).

Let us unconditionally allow reading the document fields that are required to display the document in the list.

This is how you enable the display of the document in the list. But since you do not remove the existing condition for other fields, users still can open the document only if its tabular section includes calculation types other than Bonus.

Let us add another condition to the access restriction.

In the list of fields, select the following fields:

Ref

DeletionMark

Number

Date

Posted

In the access restriction column, enter WHERE TRUE (fig. 22.18).

Fig. 22.18. Specifying data access restrictions for the Technician role

Close the rights editor.

In 1C:Enterprise mode

Let us test the result.

Update the infobase by pressing F7 and start 1C:Enterprise as technician Turner.

In the Payroll section, open the list of Employee accruals documents (fig. 22.19).

Fig. 22.19. List of Employee accruals documents

The list of documents includes all the documents related to accruals. You can open and view documents #1 and #3 but if you attempt to open document #2, an access violation message is displayed (fig. 22.20).

Fig. 22.20. Access violation message

So you have reached the goal.

Now pay attention to the following issue. Everything is fine while document #2 only contains records related to bonus calculation. But remember the idea of the access restriction: a user can only read the Employee accruals document if its tabular section named Accruals includes calculation types other than Bonus. This means that if such a document contains calculation types other than Bonus, a technician can open and view this document.

Let us try this.

Run 1C:Enterprise as Administrator.

In the Payroll section, open the list of Employee accruals documents.

Open document #2 and copy any of its rows.

In the new row, change the calculation type to Salary.

Post and close the document.

Close the session.

Run 1C:Enterprise as Turner.

In the Payroll section, open the list of Employee accruals documents.

Open document #2.

The document is opened and you can see all its rows.

In Designer mode

Let us correct the access restriction.

Return to Designer.

To prevent viewing the document, you have to edit the data access restriction.

The new condition will be more complex, so we will also demonstrate how you can use templates in data restrictions.

Open the Technician role and click the Templates tab (fig. 22.21).

Fig. 22.21. Adding an access restriction template to the Technician role

Add a template named BonusIncluded, with the text shown in listing 22.2.

It is a query against the Accruals tabular section of the EmployeeAccruals document that returns either nothing or a single-field record containing 1.

This record is returned if the document tabular section includes the Bonus calculation type.

The second condition in the query specifies the document whose tabular section is accessed. This condition uses a template parameter.

Listing 22.3. Data access restriction

AND Document.EmployeeAccruals.Accruals.Ref = #Parameter(1).Ref

#Parameter(1) will be replaced with the string specified when this template is called from the data access restriction.

Return to the Rights tab.

In the access restriction for other fields (the first row) replace the restriction with the text shown in listing 22.4 (fig. 22.22).

Listing 22.4. Data access restriction

DocAccruals WHERE NOT 1 IN (#BonusIncluded("DocAccruals"))

Fig. 22.22. Setting an access restriction for the Technician role

The #BonusIncluded("DocAccruals") statement calls the template. The template text is simply inserted at this point, and the string DocAccruals replaces the first template parameter (#Parameter(1)).

As we have mentioned earlier, if a tabular section includes a row with the Bonus calculation type, the query in the template returns a single record with 1 as its value.

This is why the condition shown in listing 22.4 allows reading DocAccruals when the template query does not return 1:

... WHERE NOT 1 IN (#BonusIncluded("DocAccruals"))

That is the case when the tabular section does not contain any Bonus accrual.

You could specify this restriction condition directly, without using a template, but the resulting text would be more complicated (listing 22.5). Templates also let you separate parts of restriction conditions for reuse in other conditions.

Listing 22.5. Data access restriction

DocAccruals WHERE NOT 1 IN (
    SELECT
        1
    FROM
        Document.EmployeeAccruals.Accruals
    WHERE
        Document.EmployeeAccruals.Accruals.CalculationType = VALUE(ChartOfCalculationTypes.MainAccruals.Bonus)
        AND Document.EmployeeAccruals.Accruals.Ref = DocAccruals.Ref)
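The following is an added example, not part of the lesson and not 1C:Enterprise code: it models in Python with SQLite the semantics of the two restrictions discussed above, the first condition from listing 22.1 (a document is readable if its tabular section has any non-Bonus row, which is why the mixed document #2 became visible) and the corrected condition from listing 22.5 (readable only if no Bonus row exists), together with the WHERE TRUE fields from fig. 22.18 that keep the document visible in the list. The table and column names (documents, accruals, calculation_type, and so on) and the sample rows are constructed for this illustration; the 1C restriction language itself is not standard SQL and the platform applies restrictions to every query, which this toy harness only simulates by calling the predicate explicitly.

```python
import sqlite3

# Constructed sample data (not the lesson's infobase) modelling the
# Employee accruals document header and its Accruals tabular section.
# Document #2 initially contains only a Bonus row, as in fig. 22.16.
DOCUMENTS = [
    # (ref, number, date, deletion_mark, posted)
    (1, "000000001", "2024-01-31", 0, 1),
    (2, "000000002", "2024-01-31", 0, 1),
    (3, "000000003", "2024-01-31", 0, 1),
]
ACCRUALS = [
    # (doc_ref, line_no, calculation_type, result)
    (1, 1, "Salary", 1000.0),
    (2, 1, "Bonus", 300.0),
    (3, 1, "Salary", 1200.0),
]

# Listing 22.1 semantics as the lesson describes them: a document is readable
# when its tabular section contains at least one non-Bonus calculation type.
FIRST_RESTRICTION = """
SELECT d.ref FROM documents AS d
WHERE EXISTS (SELECT 1 FROM accruals AS a
              WHERE a.doc_ref = d.ref AND a.calculation_type <> 'Bonus')
"""

# Listing 22.5 semantics: a document is readable only when no row of its
# tabular section carries the Bonus calculation type.
CORRECTED_RESTRICTION = """
SELECT d.ref FROM documents AS d
WHERE NOT 1 IN (SELECT 1 FROM accruals AS a
                WHERE a.calculation_type = 'Bonus' AND a.doc_ref = d.ref)
"""

# Fields granted WHERE TRUE in fig. 22.18: always readable, so the list form
# shows every document regardless of the tabular-section restriction.
LIST_FIELDS = ("ref", "deletion_mark", "number", "date", "posted")


def build_infobase():
    """Create an in-memory SQLite database holding the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE documents (
            ref INTEGER PRIMARY KEY, number TEXT, date TEXT,
            deletion_mark INTEGER, posted INTEGER);
        CREATE TABLE accruals (
            doc_ref INTEGER REFERENCES documents(ref), line_no INTEGER,
            calculation_type TEXT, result REAL);
    """)
    con.executemany("INSERT INTO documents VALUES (?, ?, ?, ?, ?)", DOCUMENTS)
    con.executemany("INSERT INTO accruals VALUES (?, ?, ?, ?)", ACCRUALS)
    con.commit()
    return con


def readable_refs(con, restriction_sql):
    """Refs of the documents a technician may read in full under the given restriction."""
    return sorted(row[0] for row in con.execute(restriction_sql))


def document_list(con):
    """The list form: only the WHERE TRUE fields, so every document is visible."""
    cols = ", ".join(LIST_FIELDS)
    return [dict(zip(LIST_FIELDS, row))
            for row in con.execute(f"SELECT {cols} FROM documents ORDER BY ref")]


def open_document(con, ref, restriction_sql):
    """Return all rows of a document, or refuse as the platform does (fig. 22.20)."""
    if ref not in readable_refs(con, restriction_sql):
        raise PermissionError(f"access violation: document #{ref}")
    return con.execute(
        "SELECT line_no, calculation_type, result FROM accruals "
        "WHERE doc_ref = ? ORDER BY line_no", (ref,)).fetchall()


def add_salary_row(con, ref, amount):
    """The administrator's step: add a row with the Salary calculation type to a document."""
    next_line = con.execute(
        "SELECT COALESCE(MAX(line_no), 0) + 1 FROM accruals WHERE doc_ref = ?", (ref,)
    ).fetchone()[0]
    con.execute("INSERT INTO accruals VALUES (?, ?, 'Salary', ?)", (ref, next_line, amount))
    con.commit()


def demo():
    """Walk through the lesson's scenario; return the readable refs before and after the edit."""
    con = build_infobase()
    before = (readable_refs(con, FIRST_RESTRICTION),
              readable_refs(con, CORRECTED_RESTRICTION))
    add_salary_row(con, 2, 300.0)
    after = (readable_refs(con, FIRST_RESTRICTION),
             readable_refs(con, CORRECTED_RESTRICTION))
    return before, after


if __name__ == "__main__":
    print(demo())  # (([1, 3], [1, 3]), ([1, 2, 3], [1, 3]))
```

The second element of `demo()` is the point of the lesson: once document #2 gains a Salary row, the first restriction lets it through while the corrected one still refuses it, because the corrected condition asks whether any Bonus row exists rather than whether any non-Bonus row exists.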

Close the rights editor.

In 1C:Enterprise mode

Let us test the result.

Update the infobase by pressing F7 and start 1C:Enterprise as Turner.

In the Payroll section, open the list of Employee accruals documents.

As you remember, document #2 includes rows both with the Bonus calculation type and with the Salary calculation type. Until now you could open the document.

Try to open document #2.

The platform displays an access violation message, which is exactly what we expect (see fig. 22.20).

In Designer mode

Since this example, which includes access restrictions at database record and field level, was intended solely for demonstration purposes, let us revert to the previous configuration state.

For the Technician role, for the EmployeeAccruals document, remove the Read right.

For the Payroll subsystem, remove the View right.

For the WorkScheduleTypes catalog and for the MainAccruals chart of calculation types, remove the Read right.

Run 1C:Enterprise as Administrator.

In the Payroll section, open the list of Employee accruals documents.

Open document #2 and remove the last row (the recently added one).